The InfoSec Handbook

The Role of a Security Program

A lack of awareness is typically one of the prime reasons that people fail to follow the requisite security guidelines, and security breaches follow from that failure. For instance, when a person ignores an advisory that laptops left visible in cars get stolen, or a travel advisory against travelling by taxi or other unknown vehicle, the risk of an information security breach increases. Similarly, failing to set a strong password on your work computer can lead to breaches at many levels, endangering both you and your organization's reputation.

Awareness is the first step in ensuring security, both physical security and information security.

Awareness considerably reduces the likelihood that vulnerabilities and threats turn into actual incidents. Toward this end, it is essential to provide organization-wide security awareness programs to all employees (permanent or temporary), contractors, suppliers/vendors, customers, and every other stakeholder who has access to the organization or its information. To achieve this, organizations need to run security awareness programs regularly, covering the various aspects of a person's work life in the organization and clearly explaining what can go wrong. Ensuring that all these stakeholders understand why security matters is essential to the success of any security program. Still, as the saying goes, "Knowing but not doing is equivalent to not knowing at all": it is up to the individual participants of these programs to take their message and content seriously and to implement them in letter and in spirit.

It is not enough for such a security program to exist and to be conducted once for the entire organization. It has to be an ongoing process, so that every new stakeholder, including each new employee, is trained without exception. In addition, the organizational structure and environment (internal and/or external) may change, and such changes can introduce different vulnerabilities and threats. Hence these programs must be regularly reviewed and updated, and all the relevant stakeholders must be trained on the changed scenarios and made aware of the new risks.

Every program should take into account the risks the organization currently faces and the controls it has painstakingly put in place; a security violation committed out of ignorance of those controls defeats their very purpose. Involving each and every person is important for the success of any security program. Anyone who is not aware of the security requirements, whether a new security guard, employee, system administrator, or manager, can endanger the entire organization.

Moreover, in addition to the regular security programs described above, strong audits, assessments, and compliance checks must be carried out without fail to verify adherence to the company's security policies, processes, and instructions. Good execution is required for the success of any well-intended program; however, execution is possibly the weakest link for most entities, as it is for most countries. Hence regular checks by competent and independent personnel, whether from within the organization or from external agencies, are essential, and they must be carried out not for the sake of ticking a box but with the genuine intention of bringing any compliance weaknesses to the fore. Many times, the reports of such compliance checks are beautifully prepared and wonderfully presented to management, then forgotten; such documents can eventually become liabilities when the resolutions they recommend are never acted upon. A compliance check whose findings are not acted upon seriously is as good as no compliance check at all. The more focused the check carried out by competent personnel, and the more focused the follow-through on the actions to be taken (and actually taken), the better off the entity will be.
